Sit down, grab a cup of coffee, and enjoy a CISO Conversation. Our CISO Conversations feature the kinds of top-of-mind questions you might typically ask a CISO about their business, security challenges, and thoughts about cybersecurity policy.
These featured CISOs from across the United States represent a variety of Fortune 1000 companies and other large organizations, and they are at the forefront of cybersecurity. They’re the ones in the trenches battling against millions of cyberattacks, securing information ranging from intellectual property to PII, and complying with many federal and state regulations that often frustrate—rather than help—their efforts.
Offering a practical point of view about cybersecurity issues of the day, these CISOs provide insights about emerging trends, cybersecurity policy and legislation, and the role of the CISO.
To sum it up in one word: dialogue. And that’s dialogue with transparency. The security function in the private and public sector has realized that we're really all in this together, so if you're a company that's getting attacked by a nation state or a state-sponsored group, you're fighting a losing battle going at it alone. Being able to collaborate and consult with each other on these issues is a big advantage.
The first thing I would point to would be the increased collaboration between organizations. Some of that can look like the ISATs between different industries, but some of it can also take place within certain kinds of verticals, just the security teams talking to one another more often within a certain vertical, like we do in higher ed.
The increased visibility and attention that cybersecurity is getting is a positive thing, whether it is something we did right, or something that organically occurred. When I started in this industry, I was literally in a basement at the large investment firm I worked for. We got very little attention from our leadership, and the thought was just, “Yeah, I guess we should do some security stuff, throw some money at it.”
A few things that I've noticed is that there seems to be more of an effort to define the terminology that drives security. For example, we hear the term "due diligence" a lot in the security field. And there's been more of an effort to define exactly what that means. In the past, a lot was left to interpretation for each specific industry. And I think the government's kind of stepped in to try and help define exactly what due diligence is all about.
Overall, it has to be awareness of cybersecurity issues. I’ve seen a dramatic increase in awareness around cybersecurity and the challenges it presents to business today at almost all levels. And with that awareness comes the opportunity to address and solve problems.
The biggest change is that people are now really taking cybersecurity seriously. It’s not “The guys in a black T-shirt in the corner of the room trying to protect the network.” It has become a significant business problem as well as a personal problem.
From my perspective, the collaboration and conversation that has been occurring within business, industry and government has really allowed us to look at the way we used to do things and how we improve. I'm not looking for prescriptions, but direction is nice. And to know what my peers are doing. Many of the meetings we attend today are specifically about getting together with peers and discussing problems and challenges and how you're meeting those. So just the fact that industry has opened up to be able to have that cooperative conversation is important.